IDIM Privacy Enhancing Features Summary Identity Information Management Project (IDIM) Integration Infrastructure Program (IIP) Office of the CIO

Transcription

1 IDIM Privacy Enhancing Features Summary Identity Information Management Project (IDIM) Integration Infrastructure Program (IIP) Contact: Peter Watkins Phone: Version: 1.0 Date: March 5, 2009

2 Document Revision History Date Description of Change Issued by Version No. 18 November 2008 Initial draft A Hughes February 2009 Updated draft A Hughes March 2009 Updated draft A Hughes March 2009 Final version A Hughes 1.0 Page i of xiv

3 Table of Contents 1 Government Services and Your Identity Information Government plays a key role Your identity information is valuable and worth protecting You want, need and expect efficient services but not at the expense of personal privacy British Columbia is exploring a better way BC Identity Information Management Policy, fair information practices and The 7 Laws of Identity Carefully designed architecture Tight control over identity management services Secure sharing of identity information where authorized Operational management Hosting of identity services Decoupling of authentication services Standardized identity information practices Identity Repair Services Careful choice of technology Cryptographic functions Smart cards Privacy enhancing features summary... 9 Appendix A Glossary 10 Page i of xiv

4 1 Government Services and Your Identity Information As British Columbians become more reliant on information management and information technology (IM/IT), government has recognized that client-centered service delivery will only be achieved when technology is leveraged and information is shared across government. The Office of the Chief Information Officer is implementing an Information Management/Information Technology (IM/IT) plan for government to improve information sharing to better achieve citizen outcomes. The IM/IT plan is about securely connecting systems and people, identifying evidence-based outcomes and making sound investment decisions, all supported by a next generation information structure. British Columbia is leading the way. As service delivery transforms to a citizen-centric model, we are addressing the parallel transformation of identity information management in the public sector. This paper outlines privacy enhancing features of the BC Provincial Identity Information management solution Government plays a key role Documented identity information about individuals begins and ends with government. Government records Vital Events such as births and deaths and also Licensing events such as program eligibility. These documents form the foundation that underpins the identity environment. There is inherent trust placed in official documents created by governments, stemming from their stability and authoritative role in society. The paper-based world of identity information is built up on a trusted chain of documentation and personal interactions. A house of cards is built that allows people to present a composite picture of their identity to conduct business and receive or provide services. There are weaknesses in the paper identity system that can lead to unintentional mistakes or can be exploited by identity thieves. The shift to online service delivery is also pushing government to enhance and extend the identity ecosystem so that online identity information is as trusted and relied upon as paper-based identity information. 1.2 Your identity information is valuable and worth protecting The value of identity information is increasing. There is a shift underway to put the person at the focal point of service delivery the citizen centric model. Government and businesses are improving, coordinating and extending services for consolidated service delivery. Central to these improvements is a reliance on accurate, high quality identification of service recipients in order to simplify the service experience for people. The increasing use of identity information as the coordination mechanism for consolidated service delivery means that identity 1 Additional material is available on the web site of the Office of the Chief Information Officer Page 1 of 14

5 information is increasing in value both to people, who receive services, and to criminals who want to steal services and assets. The historical techniques of face-to-face interactions that have supported service delivery and identity verification in the past are being replaced with self-service and online services, resulting in the need to strengthen identification processes. Without careful design and planning, moving to new identification processes will increase, rather than decrease risk. Criminals can exploit identity information at expense of ordinary people: fraud and identity theft are growing rapidly. New approaches and systems that restore the same degree of identity certainty as in the past are needed to enable the service delivery shift. 1.3 You want, need and expect efficient services but not at the expense of personal privacy Government is expected to provide coordinated, efficient services. We hear that you want: reduction in red tape and duplication of effort; your care providers to have access to all relevant information at the right time in order to help you; and, government agencies to coordinate and share information appropriately in order to protect you and prevent bad outcomes. For example, for child protection services, several Ministries and programs need to interact closely. Also, courts, corrections services and related programs need to share information in order to protect public safety. Equally important is the protection of centralized identity services from insider abuse and unauthorized surveillance. Identity systems must be built with privacy as a design objective. You should not have to pay for improved services with your personal privacy. Well managed identity information is the key. Government must protect personal information and allow citizens to be active participants in deciding how their identity information should be collected, used and shared, in support of service delivery. Clients need to be identified accurately by government programs to ensure that services are delivered to the right person at the right time. Incorrect identification can have significant consequences, for example if medications are prescribed to the wrong person, harmful drug interactions may occur. Service providers need to be identified to a high degree of certainty to ensure that they can only access client information where authorized. For example, patient records should only be accessible by people directly involved in their care. Programs that have a need to share information about clients need to identify those clients in a consistent and accurate way to reduce the risk of incorrect information being communicated. This allows for coordinated service delivery. 1.4 British Columbia is exploring a better way A variety of solutions have been implemented in different places to address the need for high quality shared identity information. These vary in effectiveness and privacy enhancement as a government, we have studied these options and believe that we are building a better way. At one end of the spectrum, some jurisdictions have built centralized, monolithic citizen databases with a single citizen number for each person. These unique identifiers are then threaded through all service Page 2of 14

6 programs. The ability to share information and coordinate records is greatly simplified, as is the potential to profile citizens. As well, a privacy breach jeopardizes the identity information used to access financial records and other databases. At the other end of the spectrum is the free-for-all where each service creates service numbers to identify their own participants, and is unable to share them with other service providers. The unlinkability of the identity information between information silos is inherently privacy protective, but greatly hinders the ability to share information when required for improved or coordinated service delivery. It also reduces the ability of programs to detect fraud or double-dipping. A balance must be struck where government identity services are established to ensure accurate identification of people when needed, by authorized individuals, and only to the extent required. The government identity service needs to be tightly controlled and monitored to ensure compliance to legislation and policy. Service providers interact with the program to obtain accurate client identity information when needed. The government identity service can also manage identity information to prevent unauthorized threading of identity numbers from program to program. Page 3of 14

7 2 BC Identity Information Management The BC Identity Information Management solution is designed to prevent citizen profiling through a combination of policy, practices, architecture and technologies. 2.1 Policy, fair information practices and The 7 Laws of Identity The BC Identity Information Management Initiative 2 has established a set of policy, design, architecture and governance principles to guide the development of the provincial solution. These principles are based in part on the Canadian Standards Association Model Code for the Protection of Personal Information and Kim Cameron s 7 Laws of Identity 3. The principles include: Justifiable and Necessary: The use of an individual s identity information should be legally justified and necessary. Risk-Based and Proportionate: The selection of identity information management processes should be risk-based and should be proportional to the stated business goals of the program or service. Citizen choice, consent and control: Citizens should have the maximum amount of choice, consent and control over the use of service channels and identity credentials and the transfer of their identity information from one party to another. Limited information for a Limited use: The least amount of identity information possible should be collected, used, retained and disclosed by the least number of parties in any identity information transaction. Limited Ability to Link and Profile Identity Information: The ability to link identity information across unrelated programs and services and create profiles of individuals should be limited and strictly controlled (i.e., only permitted with legal authority). Trusted and Secure Environment: Trust should be established between all parties through notice, agreements, and secure and accurate information management processes. Transparency and Mutual Accountability: Activities and decisions relating to the identity information management processes should be open, transparent and understandable to all parties. All parties should have a clear understanding of their role, responsibilities and associated risks and should be accountable and responsible for their actions, acknowledging identity management as a collective responsibility. Citizen/User-centric: Identity information management processes should be citizen/user focused. Citizens should be integrated and empowered through intuitive processes and clear communications/interfaces and be provided with a seamless and consistent experience across programs and channels creating a less confusing service environment. 2 For information about identity management initiatives in the Province of British Columbia see 3 Available at Page 4of 14

8 2.2 Carefully designed architecture Through a process of research and analysis, the citizen-centric, claims-based identity architecture and associated technologies have been selected for the provincial solution. The claims-based identity architecture is similar to identity federation technology in that mechanisms are established to allow one service provider to use another provider s identity information to perform access control. The fundamental difference is that in the claims-based architecture, users control the identity information pathway. The claims-based architecture has several major components. Claims are simply facts about a person s identity. A Relying Party offers services and relies on claims from an Authoritative Party which is authoritative over some identity information. Identity claims are sent via the user s identity agent software which permits the user to inspect the claims, control and limit what information is transmitted to which service. Separating Relying Parties and Authoritative Parties and making identity claims flow under the control of the user are the main privacy features of the architecture. This also minimizes the possibility of unauthorized usage profiling. Unless explicitly configured to do so, Authoritative Parties, who issue identity claims, are unable to discover where claims are being used. Relying Parties, who consume identity claims, are able to view only the claims that the user presents, and no other information about them. Placing the citizen at the controlling point in the identity information flow is essential to giving them choice and control over their identity information. 2.3 Tight control over identity management services The key technique for protection of the security and privacy of identity information is the separation of identity information from eligibility information and eligibility status. This separation makes it structurally difficult, if not impossible, to build unauthorized profiles between programs. If a citizen registry is required to enable the solution, it will only store the minimum amount of identity information required to serve its function. Program identifiers and numbers will not be stored directly. Strict policies and standards for safeguarding the identity information will be enforced, which will limit the scope of privacy invasive actions that could be abused. By policy, programs will be not permitted to store program identifiers belonging to other programs. This will be confirmed by auditors who will be instructed to look for the unauthorized storage of identifiers. Page 5of 14

9 2.3.1 Secure sharing of identity information where authorized Integration Infrastructure Program (IIP) A central service 4, the Privacy Protective Identity Broker, will be established for secure sharing of identity information between programs where authorized. The service acts as a safe deposit box that programs will use to store encrypted versions of program service numbers. The key attributes of this service are: Programs will store encrypted versions of their program identifiers, such as Personal Health Numbers or Corrections Service Numbers; The service will be a blind store, in that it will be unable to decrypt or otherwise interpret the identity information stored within it; When one program needs information about a client from another program, it will ask the broker to issue a handle that represents the client in question. The handle is usable for a short period of time and cannot be used to profile clients. The handle is passed to the target program, which uses it to retrieve the correct program identifier to lookup the requested information. This information is passed back to the requester along with the handle. Note that at no time are the program identifiers exchanged between the programs, thus preventing profiling or the collection of program identifiers Operational management High levels of reliability, stability, security and availability for the provincial identity solution are required. To achieve this, stringent operations management practices will be implemented. These include service level agreements, standard operations practices, capacity management and audits. The solution will be integrated with the provincial technology environment for seamless delivery Hosting of identity services The user-centric claims-based identity solution uses a distributed pattern of identity sources. Many of the authoritative parties envisioned in the identity ecosystem will be large, well managed entities that are capable of operating according to provincial standards. For smaller organizations that want to participate in the identity federation, there will be a hosting service offered by the province. This will ensure adherence to operational and technical standards Decoupling of authentication services Authentication functions will be decoupled from online services. A risk to personal information arises when insiders are able to impersonate clients without their knowledge. This can occur if a program implements a poorly-designed authentication service. 4 A more complete description of the technology and features of this service will be available from the Provincial Identity Information Management initiative. Page 6of 14

10 In the claims-based architecture, Authoritative Parties use client authentication to enable the release of claims to the user s identity agent. Authoritative Parties will be required to adhere to provincial standards for encryption, authentication methods, and data elements and data protection. In general, the strength of authentication technology required will be in proportion to the quality and value of the identity claims being issued. We anticipate that at the highest level, a smart card or chip-and-pin technology will be implemented. 2.4 Standardized identity information practices Identity information management practice standards will be established for the province to ensure that identity information is consistently collected in a privacy protective manner, with appropriate consent, client control and verification procedures. Such standards will increase the quality and accuracy of identity recording and verification, leading to increased reliability and trust. Practice standards may include: establishing proof of legal name, birth date, or residency to a given level of certainty; processes for verification of foundation documents; anti-fraud techniques; and, standards for recording identity facts. A range of electronic services will be used to support programs with their identification needs. For example, a service will be created that allows programs to confirm client identity in a privacy protective manner. A clerk would ask the client to provide their program ID or other basic information. Using this information, an inquiry to a registry containing photo ID could be made which returns the photo of the person in question, with no other personal information attached. This would allow the clerk to verify that the person they are serving is the same person that enrolled earlier, and is the valid holder of the program identifier. This would allow a program clerk to confirm the identity of the person without learning other facts about them, and to prevent photo surfing. 2.5 Identity Repair Services The shift to a citizen-centric service delivery model and the associated concentration of value into personal identity, increases the benefits and risks related to the individual. If incorrect facts about a person are recorded, or a fraudster takes over an identity, the person can be seriously impacted. The distributed nature of the user-centric identity architecture could make it very difficult for a person to resolve the problem. Identity repair services will be offered in the provincial solution to address this problem. Citizens will have a single point of contact to review and correct their identity information. The contact point would be empowered to assist the person through the complex process of identity repair. 2.6 Careful choice of technology Several technologies are being used to support the provincial identity management solution. In general, the solution will be vendor-neutral, but standards-specific. This approach will allow a variety of technology solutions to co-exist and interoperate, without requiring locking-in to a specific vendor. Page 7of 14

11 2.6.1 Cryptographic functions A range of cryptographic functions will be used to support the identity information management solution. These functions include encrypted data streams to prevent eavesdropping, digital signatures to provide message integrity, one-way cryptographic hashing to prevent data tampering or decryption, and public key infrastructure to enable verification of entities in the technical trust environment Smart cards For the highest-quality identity claims, which may be established through face to face enrolment and background corroboration, smart cards may be issued. The smart card would be used as a strong authentication technique, to ensure that the person in possession of the card is the same person that enrolled for the claims and was issued the card. The card would not be used to store claim data. The smart card would also enable the use of cryptographic keys required to support the range of cryptographic functions. Page 8of 14

12 3 Privacy enhancing features summary In summary, the BC Identity Information Management initiative has incorporated privacy as a design objective, and has many privacy enhancing features built-in: Use of the CSA Model Code for the Protection of Personal Information and Kim Cameron s 7 Laws of Identity as the basis of the initiative s principles; Use of the user-centric, claims-based architecture to put the user in direct control over identity information flows; Strict policy, standards, operational practices and enforcement to ensure tight control over identity management services; A Privacy Protective Identity Broker to enable secure and private sharing of program identifiers between sectors; Identity Repair services to help people when problems arise; and, Careful choice of technologies to enable strong security where needed. The risks associated with identity information concentration cannot be eliminated entirely. However, British Columbia has designed a thoughtful, rational and flexible solution that will allow strong privacy protections and agility to respond to adverse events. We are confident that the open dialog about the identity information solution will support this conclusion, and lead to the BC Government s overarching goal to improve information sharing to better achieve citizen outcomes. Page 9of 14

13 Appendix A. - Glossary This is an abbreviated glossary, introducing some major terms associated with the user-centric claimsbased architecture. Term Citizen Client User-Centric Models Identity information Identity Claim Authoritative Party Relying Party Description An individual acting in a personal capacity. In some instances, government services may also be provided to noncitizens. For example, a visitor from Washington applying for a BC fishing license. A person seeking or receiving a service. IDIM will use the modifiers individual client or organizational client to distinguish when necessary. Puts users, rather than identity and service providers in the center of the transaction. The user or client manages and shares his or her identity information using an identity agent which can be a browser or portable personal authentication device. Certificates from authoritative identity sources can be acquired by the user and presented when proof of identity is required by service providers. User is able to release information only as they see fit. An attribute, designation or other like information that is recorded or documented somewhere and used to distinguish a unique and particular individual or organization. Identity information is normally documented in a license or accreditation form (e.g., John Smith s birth certificate, John Smith s driver s license indicating that he is licensed to drive, John Smith has an MBA). An assertion of the truth of something which pertains to a person s identity. An identity claim could convey a single attribute such as an identifier (e.g. a student number) or it could convey that a person is part of a certain group or has certain entitlements (e.g. I am over 18, I am a company employee). A set of identity claims could provide sufficient identity attributes (e.g. name, date of birth address) to permit the identification of a unique identity of a person. A party whose authority to make claims is recognized by one or more relying parties. Claims made by recognized authoritative parties are used by relying parties to make access control decisions. Examples include: Corporate Registry for Corporations, Law Society for lawyers, College of Physicians and Surgeons for doctors, the Individual for their contact information, etc. A party that accepts a credential and its assertions to conduct a transaction with a client. Page 10of 14

14 Page 11of 14